From 4aa9acca0abae98705f31927d28bbca33cbe0c5f Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sun, 10 Feb 2019 21:34:43 +0100 Subject: [PATCH] sysadm: allow resolving dynamic users On a virtual machine using haveged daemon, running "ps" from a sysadm_t user leads to the following output: $ ps -eH -o label,user,pid,cmd ... system_u:system_r:init_t root 1 /sbin/init system_u:system_r:syslogd_t root 223 /usr/lib/systemd/systemd-journald system_u:system_r:lvm_t root 234 /usr/bin/lvmetad -f system_u:system_r:udev_t root 236 /usr/lib/systemd/systemd-udevd system_u:system_r:entropyd_t 65306 266 /usr/bin/haveged --Foreground --verbose=1 User 65306 is a dynamic user attributed by systemd: $ cat /var/run/systemd/dynamic-uid/65306 haveged Running ps leads to the following log: type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:system_r:init_t tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Allow sysadm_t to resolve dynamic users when systemd is used. After this, "ps" works fine: system_u:system_r:entropyd_t haveged 266 /usr/bin/haveged --Foreground --verbose=1 --- policy/modules/roles/sysadm.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index e411d4fdd..e06c7d361 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -71,6 +71,12 @@ ifndef(`enable_mls',` logging_run_auditctl(sysadm_t, sysadm_r) ') +ifdef(`init_systemd',` + # Allow sysadm to resolve the username of dynamic users by calling + # LookupDynamicUserByUID on org.freedesktop.systemd1. + init_dbus_chat(sysadm_t) +') + tunable_policy(`allow_ptrace',` domain_ptrace_all_domains(sysadm_t) ')